Skip to content

Single Sign-On (SSO) Settings

This guide will take you through everything related to the configuration of Single Sign-On (SSO) in Keystash. The Single Sign-On (SSO) settings page allows you to configure SSO with Google Workspace and Microsoft 365/Azure/Entra.

Single Sign-On (SSO) is a centralized authentication process that enables users to access Keystash using their Google Workspace or Microsoft 365/Azure/Entra account credentials. Keystash uses the OpenID Connect protocol (OAuth 2.0) to authenticate users. To enable SSO, you must configure an identity provider.


Single Sign-On is only available on the Business plan. Please upgrade your account if you wish to use this feature

There are two specific guides on how to configure SSO for Keystash:

Configure SSO for Google

Configure SSO for Microsoft 365


What is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication process that allows users to access multiple applications like Keystash with a single set of login credentials. It streamlines the user experience by eliminating the need to log in separately to each application, thereby reducing password fatigue and improving security. SSO uses protocols like OAuth 2.0 and OpenID Connect to securely manage and verify user identities across different platforms.

Can I use more than one identity provider for SSO in Keystash?

Unfortunately not. Keystash can only use one identity provider for SSO at a time. You can choose to configure SSO with either Google Workspace or Microsoft 365/Azure/Entra. However, identity providers like Microsoft Entra allow for delegation to other identity providers, such as Google Workspace, to provide a seamless SSO experience for users.

Do all users need to use SSO to access Keystash?

No, users can still use a username and password to log in to Keystash if SSO is enabled. When creating a user account you can choose to invite the user via SSO or to create a local account.

Can Keystash automatically create user accounts from the information provided by the identity provider?

Yes, Keystash can automatically create user accounts for new users who log in via SSO. This feature is called Auto User Provisioning and can be enabled in the SSO settings. You will need to select a default role that will be assigned to the new user account.

What if I have already created users before I enabled Single Sign-on?

When an existing user logs in via Single Sign-on and Auto User Provisioning is enabled, then Keystash will attempt to match the user's email address with an existing user account. If a match is found, the user account will be updated with the single sign-on details and the user will be logged in using the existing account.

Note: The users existing role and permissions will remain as-is and will not be updated by the Auto User Provisioning rules.

Can users still enable Two Factor Authentication to login to Keystash?

Yes, users can still enable Two Factor Authentication (2FA) to add an extra layer of security to their Keystash account. 2FA can be enabled in the user's profile settings.

Can I disable SSO after it has been enabled?

Yes, you can disable SSO at any time by toggling the Enable Single Sign-On switch in the SSO settings. When SSO is disabled, users will need to log in with their Keystash username and password. To do this they will need to use the Forgot Password link on the login page to reset their password.

Can I change the identity provider after SSO has been enabled?

Yes, you can change the identity provider. However, you will need to reach out to Keystash Support to ensure that users can continue to use their existing accounts with the new identity provider. This is because the user's account is linked to the identity provider.

Can users who have single sign-on enabled login to the API?

No, the API does not use single sign-on authentication. If you use single sign-on (SSO) and want to make use of the API, you will need to create a user that does not use single sign-on. To do this, create a user in Keystash, click Save and when prompted select Username and Password. This user can then be used to authenticate with the API.